Hello,
I'm new to libvirt. I recently tried to launch an SEV VM with secret
injection, and I found that the command domsetlaunchsecstate is what I
need. But I had some problems making it work. Here is what I did to use
this command.
1. run command: virsh create sev-guest.xml
2. create secret header file and secret file.
3. run command: virsh domsetlaunchsecstate sev-guest-1
--secrethdr <hdr-filename> --secret <secret-filename>.
But it reports this error: SEV: not in correct state.
I think this is because the VM is not in a paused state. So how can I launch
an SEV VM that is in a paused state? How should I revise my XML file?
The sev-guest.xml I use is as follows:
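<!-- libvirt domain definition for an AMD SEV guest (QEMU/KVM, q35).
     NOTE(review): nothing in the domain XML controls whether the guest
     starts paused; that is a start-time option of "virsh create" (its
     "paused" flag). domsetlaunchsecstate presumably needs the guest held
     there, after the launch measurement and before it runs; confirm
     against the virsh man page. -->
<domain type="kvm">
  <name>sev-guest-1</name>
  <uuid>d50a4205-40e0-4482-b0dc-f26bb4a1a9ff</uuid>
  <metadata>
    <!-- The namespace URI must stay on one line: a line break inside the
         quoted value is normalized to a space, so the URI would no longer
         match and the libosinfo metadata would be silently ignored. -->
    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
      <libosinfo:os id="http://ubuntu.com/ubuntu/16.04"/>
    </libosinfo:libosinfo>
  </metadata>
  <!-- No unit attribute, so libvirt's default unit (KiB) applies: 4 GiB. -->
  <memory>4194304</memory>
  <currentMemory>4194304</currentMemory>
  <memtune>
    <!-- NOTE(review): SEV guest memory is pinned on the host, so this limit
         bounds the locked allocation; confirm it leaves enough headroom
         above <memory> for QEMU's own overhead, or startup fails. -->
    <hard_limit>4563402</hard_limit>
  </memtune>
  <vcpu>32</vcpu>
  <cpu mode="custom" match="exact" check="partial">
    <model fallback="forbid">EPYC</model>
  </cpu>
  <os>
    <type arch="x86_64" machine="q35">hvm</type>
    <!-- NOTE(review): the same OVMF.fd serves as both the read-only code
         image and the NVRAM template. SEV includes the firmware in the
         launch measurement, so confirm this is the SEV-enabled OVMF build
         the guest owner's measurement is computed against. -->
    <loader readonly="yes" type="pflash">/data01/OVMF.fd</loader>
    <nvram template="/data01/OVMF.fd">/var/lib/libvirt/qemu/nvram/sev-guest-1_VARS.fd</nvram>
    <boot dev="hd"/>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <clock offset="utc">
    <timer name="rtc" tickpolicy="catchup"/>
    <timer name="pit" tickpolicy="delay"/>
    <timer name="hpet" present="no"/>
  </clock>
  <pm>
    <suspend-to-mem enabled="no"/>
    <suspend-to-disk enabled="no"/>
  </pm>
  <devices>
    <!-- presumably a locally built QEMU; libvirt must report SEV support
         for this binary (see "virsh domcapabilities") for the
         <launchSecurity> block below to be accepted. -->
    <emulator>/usr/local/bin/qemu-system-x86_64</emulator>
    <disk type="file" device="disk">
      <driver name="qemu" type="qcow2"/>
      <source file="/data01/AMDSEV/sev-guest-1.qcow2"/>
      <target dev="sda" bus="scsi"/>
    </disk>
    <!-- iommu="on" is set on every virtio device (scsi, serial, balloon):
         SEV guests need virtio DMA to go through guest-managed bounce
         buffers instead of touching encrypted memory directly. -->
    <controller type="scsi" index="0" model="virtio-scsi">
      <driver iommu="on"/>
    </controller>
    <controller type="virtio-serial" index="0">
      <driver iommu="on"/>
    </controller>
    <controller type="usb" index="0" model="ich9-ehci1"/>
    <controller type="usb" index="0" model="ich9-uhci1">
      <master startport="0"/>
    </controller>
    <controller type="usb" index="0" model="ich9-uhci2">
      <master startport="2"/>
    </controller>
    <controller type="usb" index="0" model="ich9-uhci3">
      <master startport="4"/>
    </controller>
    <!-- Four PCIe root ports as functions 0-3 of slot 0x02.
         NOTE(review): <alias> names without the "ua-" prefix are assigned
         by libvirt itself and are ignored on input; they can be dropped. -->
    <controller type="pci" index="1" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="1" port="0x8"/>
      <alias name="pci.1"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x0" multifunction="on"/>
    </controller>
    <controller type="pci" index="2" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="2" port="0x9"/>
      <alias name="pci.2"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x1"/>
    </controller>
    <controller type="pci" index="3" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="3" port="0xa"/>
      <alias name="pci.3"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x2"/>
    </controller>
    <controller type="pci" index="4" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="4" port="0xb"/>
      <alias name="pci.4"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x3"/>
    </controller>
    <console type="pty"/>
    <input type="tablet" bus="usb"/>
    <!-- VNC is bound to loopback only, so it is reachable just by local
         users; there is no passwd attribute, so any local user who can
         connect to the port gets the console. -->
    <graphics type="vnc" port="-1" listen="127.0.0.1"/>
    <video>
      <model type="vga"/>
      <address type="pci" slot="0x07"/>
    </video>
    <memballoon model="virtio">
      <driver iommu="on"/>
    </memballoon>
  </devices>
  <launchSecurity type="sev">
    <!-- cbitpos and reducedPhysBits are host-specific; take them from the
         sev section of "virsh domcapabilities" on this machine. -->
    <cbitpos>51</cbitpos>
    <reducedPhysBits>1</reducedPhysBits>
    <!-- NOTE(review): policy is a bitmask defined by the AMD SEV firmware
         spec; confirm 0x05 sets exactly the bits intended (libvirt's SEV
         documentation shows 0x0003 for a plain SEV guest). -->
    <policy>0x05</policy>
    <!-- Redacted placeholders: the guest owner generates these from the
         platform's exported PDH and supplies the real values. -->
    <dhCert>XXXXXXXXX</dhCert>
    <session>XXXXXXXXXXXXXXXXx</session>
  </launchSecurity>
</domain>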
Thank you in advance,
Peixuan